
Trustees on the hook for data security: APRA

By Tim Stewart

APRA has made it clear that super fund trustees are explicitly responsible for the data security of their service providers.

Prudential Standard CPS 234: Information Security has been drafted by the Australian Prudential Regulation Authority (APRA) in an attempt to “minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets.”

This includes information ‘assets’ managed by related parties or third parties.

For super funds, which outsource a great deal of their operations to third parties, the proposed changes will heap new responsibilities on trustees’ shoulders.


Under APRA’s prudential guide, super trustees will be responsible for the data security of third parties used for member administration, investment management, insurance, data analytics and custodial services.

In a discussion paper accompanying the prudential standard draft, APRA notes that any outsourcing arrangements involving material business activities must be subject to “appropriate due diligence, approval and ongoing monitoring”.

“In complying with prudential requirements in respect of risks arising from outsourcing material business activities, an entity’s due diligence and ongoing monitoring should include an assessment of the information security capability of the outsourcing provider,” said APRA.

“Draft CPS 234 extends these requirements to include an assessment of the information security capability of all other outsourcing providers, commensurate with the potential consequences of an information security incident.”

Specifically, super trustees will be required to assess the control testing frameworks and audit assurance of outsourcing providers – and, importantly, to notify APRA when they discover information security ‘incidents’ and “control weaknesses”.

The prudential guide comes two weeks into the new mandatory data breach reporting regime, which officially began on 22 February 2018.

Under the new system, financial services providers (including super funds) will be required to report data breaches that are deemed “likely to cause serious harm” to the Office of the Australian Information Commissioner.